Snort mailing list archives

Alert vs. Log?


From: "Nels Lindquist" <nlindq () maei ca>
Date: Mon, 4 Mar 2002 16:03:00 -0700

Okay, I'm confused.

What exactly is the difference between "log" and "alert?"  I'm using 
snort 1.8.3 with the following output configuration in 
/etc/snort/snort.conf:

output database: log, mysql, user=[user] password=[password] dbname=snort

Snort is launched from a SysV init script as follows:

daemon /usr/local/bin/snort -u snort -g snort -d -D \
        -i $INTERFACE -c /etc/snort/snort.conf

Now, I was under the impression that logging to a database was the 
desired behaviour, and that doing so would override the default 
logging to syslog, text file etc.  However, alerts are still being 
recorded in /var/log/snort/alert in plain ASCII.  I don't want 'em 
there; I'm using ACID to look at the alerts which are logged in the 
MySQL database.

So how do I convince snort that I don't want ASCII alerts?  If I add 
"-A none" to the snort command line, then *all* logging (including 
the database) is turned off, not just alerts.  I would have thought 
I'd need "-N" on the command line to turn off logging, but apparently 
not.  If I switch the output database definition to "alert" instead 
of "log", then I don't get all the details about IP addresses, etc.
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
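The question above turns on how Snort 1.x hands a rule match to its output plugins. The script below is an added illustration, not code from the poster or from the Snort project: it models the routing the Snort manual describes (an `alert` rule feeds every alert-chain plugin and then every log-chain plugin; a `log` rule feeds only the log chain; the `alert`/`log` keyword on an `output database:` line picks which chain the plugin joins) and the fallback to the default ASCII alert writer when no alert-chain plugin is configured. The parser, the `Event` fields, the plugin names and the sample rule matches are constructed here for the demonstration; the model does not attempt to explain the `-A none` / `-N` behaviour the poster observed.

```python
"""Model of Snort 1.x output routing: which plugins see an 'alert' rule
match versus a 'log' rule match.  Added illustration, not Snort source;
the routing rules follow the Snort manual, the rest is assumption.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Event:
    rule_action: str   # action from the rule header: alert, log or pass
    msg: str
    src: str
    dst: str


@dataclass
class OutputPlugin:
    name: str
    chain: str                                  # "alert" or "log"
    received: list = field(default_factory=list)

    def write(self, event: Event) -> None:
        self.received.append(event)


class OutputChains:
    """Two ordered plugin lists, as the Snort 1.x manual describes them.

    alert rule -> every alert-chain plugin, then every log-chain plugin
    log rule   -> log-chain plugins only
    pass rule  -> nothing
    If snort.conf names no alert-chain plugin, the default ASCII alert
    writer (alert_full, /var/log/snort/alert) is attached instead.
    """
    DEFAULT_ALERT = "alert_full"

    def __init__(self) -> None:
        self.alert_chain: list[OutputPlugin] = []
        self.log_chain: list[OutputPlugin] = []

    def add_output(self, conf_line: str) -> OutputPlugin:
        """Parse 'output <plugin>: <args>' and attach the plugin to a chain."""
        head, _, args = conf_line.partition(":")
        plugin = head.split()[1]
        first_arg = args.split(",")[0].strip()
        if plugin.startswith("alert_"):
            chain = "alert"
        elif plugin.startswith("log_"):
            chain = "log"
        else:
            # database and other dual-use plugins take 'alert' or 'log'
            # as their first argument, and that argument picks the chain.
            if first_arg not in ("alert", "log"):
                raise ValueError(f"{plugin}: first argument must be alert or log")
            chain = first_arg
        out = OutputPlugin(plugin, chain)
        (self.alert_chain if chain == "alert" else self.log_chain).append(out)
        return out

    def finalize(self) -> None:
        """Apply the default alert writer when no alert plugin was configured."""
        if not self.alert_chain:
            self.alert_chain.append(OutputPlugin(self.DEFAULT_ALERT, "alert"))

    def dispatch(self, event: Event) -> None:
        if event.rule_action == "alert":
            for p in self.alert_chain + self.log_chain:
                p.write(event)
        elif event.rule_action == "log":
            for p in self.log_chain:
                p.write(event)
        elif event.rule_action != "pass":
            raise ValueError(f"unknown rule action {event.rule_action!r}")

    def counts(self) -> dict[str, int]:
        """Events received per plugin, alert chain first."""
        return {p.name: len(p.received) for p in self.alert_chain + self.log_chain}


def simulate(conf_lines: list[str], events: list[Event]) -> dict[str, int]:
    chains = OutputChains()
    for line in conf_lines:
        chains.add_output(line)
    chains.finalize()
    for ev in events:
        chains.dispatch(ev)
    return chains.counts()


# Constructed sample: one 'alert' rule match and one 'log' rule match.
SAMPLE_EVENTS = [
    Event("alert", "ICMP PING", "10.0.0.5", "10.0.0.1"),
    Event("log", "TCP to 23", "10.0.0.5", "10.0.0.1"),
]
# The poster's configuration (database on the log chain) and the alternative.
AS_LOG_PLUGIN = ["output database: log, mysql, user=snort password=x dbname=snort"]
AS_ALERT_PLUGIN = ["output database: alert, mysql, user=snort password=x dbname=snort"]

if __name__ == "__main__":
    print(simulate(AS_LOG_PLUGIN, SAMPLE_EVENTS))    # alert_full still active
    print(simulate(AS_ALERT_PLUGIN, SAMPLE_EVENTS))  # database takes the alert chain
```

With the database declared as a `log` plugin, nothing occupies the alert chain, so the model attaches the default ASCII writer and every `alert` rule match is written to it as well as to the database, which matches the ASCII file the poster sees alongside the MySQL rows. Declared as an `alert` plugin, the database becomes the alert chain and the default writer is not attached, but `log` rule matches then reach nothing because the log chain is empty.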


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users